Feedback: Eve V drivers - I would not install them

Hi,

Following up on Driver updates 15.12, I am a little perplexed about Eve’s handling of drivers… Team Eve is this really the way you like to share drivers / software updates with us?

  1. They are shared within the community. This is all great (fast updates, etc) but I wonder how many people will click some links if an malicious community member posts some driver links? -> An update should be posted in the community, only linking to the official website where we can find them (no direct downloads)
  2. They are hosted on different providers (Dropbox, Some CDN, …). Should I really follow a dropbox link for a driver download as the official way? -> Please host the drivers on your official eve Websites with https!
  3. They are unsigned. As such, anybody could change the drivers and nobody would be able to recognize that. -> Please sign your drivers appropriately (like hosting your files over https).
  4. Windows Defender’s SmartScreen feature is blocking me from installing the latest audio drivers.

As long as Eve is not providing signed drivers from a trusted source, I won’t install them and I also would not recommend anybody to do so either.
In fact, I am really shocked that Eve did that in first place. Let’s me wonder how secure my V is with all the IME problems and possible rootkits out there :frowning:

Cheers and Happy New Year :slight_smile:

5 Likes

Eve will push drivers through Windows update, and eventually host on eve-tech.com.

The method you mentioned earlier is the quickest deployment option for Eve right now. Besides, the drivers aren’t really necessary, only if you feel you need or want to try the new ones are you expected to download from those links.

3 Likes

Eve will also migrate to a new hosting company. I couldn’t find the thread.

1 Like

That is your choosing. As said EVE will put the drivers on their homepage soon(ish).

EVEryone can then choose if they trust the drivers or not.

6 Likes

Actually, I had the same thoughts but did not reacted so much because I do not have my V yet.

eve really has to pay attention about security. There are a lot of stages where the devices could be attacked:

  • Screen calibration comes to mind. The pc used for this can be highjacked.
  • At 4px the devices are obviously not in the best hands - so something can happen there.

I would love that the devices get some kind if seal right after production /calibration to have the chance to see if somebody at 4px (or others) had the chance to backdoor my device.
@Team, any chance for this?

There already is some seal there - without spoiling the unboxing I can only say ‘white parcel’

2 Likes

I’d poked a bit through the files and as I understand it, you only need the drivers if you want to hotfix the audio - the audio fix borks some other drivers so there are updates to fix those drivers as well. So if you can live with bad audio, you have no need to apply them at all.

P.S. as always, not an official statement from eve, just an opinion from a nosey fellow who likes looking at bat files.

Which ones does it bork? I thought I fixed that - please PM me the borked drivers & I’ll be sure to include fixes for those in an updated audio driver! :slight_smile:

1 Like

you did, don’t worry lol!

just sharing that as far as i can tell (as someone who isn’t employed by eve) the drivers updaters are safe to use (only caveat is the bork-then-fix thing) and if the audio fix isn’t a priority, users can wait for signed drivers.

Agree with “white seal” intact to demonstrate the factory packing and no interference en route from Shenzhen to your door

1 Like

That is so far so good - but how can you tell that the drivers you looked at are the same which are still available for download?

I would presume that if there is a new driver update, one should install it because it really affects the user’s experience. And as somebody stated, the audio quality is increased heavily.

As long as they are signed then and the default Windows SmartScreen filter enabled on the V is not blocking me from installing them … :wink:

1 Like

That depends on how much you trust Eve, those links are not community-editable.

One should install it, if the drivers are for something that you use, and would like an improvement in. If you’re somebody that never uses the speakers, and you don’t trust the links posted, don’t worry about it. None of these drivers contain any updates critical to the usage of the device, only improvements on specific things.

I’m sure you don’t have the best tires in the world on your car, yet you’re fine with what you have. Better tires do affect the user experience, but may not be worth the time, effort, and cost of attaining new tires.

1 Like

Well, there are reasons why drivers should be signed. For example, to check if anybody tampered with the file or to compare driver versions. Just hack a community account of a manager in this forum and badaboom, you’ll have 1000+ devices hijacked by posting a bad link. Or hack the underlying dropbox account. Whereas, if the driver is signed (best on an offline pc with a private key hopefully stored somewhere else), a much higher degree of malicious activity is needed.

I did never say I do not trust Eve … I just do not trust a dropbox link to an unsigned driver installation file which my default Windows on Eve blocks access to - even if I trust the person who was distributing it.

My feedback as experienced developer: This is NOT a way to go, even for fast update cycles, tryouts, etc… whatsoever. We are no longer in a try and error stage with prototypes here.

I really don’t know where this discussions goes or what metaphor the “I don’t have the best tires in the world” thingy is… I have bad speaker audio quality, I would like to test the new driver promising better quality, I wasn’t able to install them because Windows blocked access and I have serious doubts about the current driver distribution channel of Eve, I voiced my concern, I hope new & signed drivers will be released soon.

Cheers

9 Likes

Oh, so it was Chinese dust in my box and not British? :smiley:
Gotta clean your factory packing then :wink:

1 Like

Also as a developer, there’s no way I’d put out a hotfix (or whatever) that was unsigned. It just doesn’t happen. It shouldn’t be happening here either. Distribution channels… sometimes those are more ad-hoc at times (life happens), though I agree that the ideal is some type of secured channel, with https being the minimum on that scale. As long as it’s signed (by EVE-tech) then you know if you’ve got something “legit” or not, no matter the distribution channel. No “official” download link, and no signing? Not good.

Whomever the ONE person responsible for driver deployment (not necessarily the development person, though can be the same in a small company) should fix this permanently, and make it part of their “this is my responsibility” bucket of tasks. Signing at a minimum.

9 Likes

that is true, i cannot.

however what i am trying to say is that your concern - like most raised to date - is most certainly valid, however given the circumstances i am inclined to cut eve some slack.

we need to hold eve up to a standard that we expect from a reputable company, instead of implying things like that eve may purposefully make their platform open to rootkits.

i feel that we should take that into account and point out that this is something that must be improved upon. for example, i have no qualms with this:

they have said that future updates will be pushed through the proper channels, and i choose to see this event as an emergency ad-hoc fix that they wanted to push out ASAP to solve one of the biggest problems people were having with the V.

but yes, i do agree that how it was done was insecure and not good which is why i looked at the bat files in the first place (the barest of minimums to make sure that they weren’t downloading something i wouldn’t want), and if the next update is delivered in the same manner i will be right there with you calling them out on this unacceptable behaviour.

3 Likes

@iKirin, how is that a seal that 4PX has not tampered with the computer (not that I think they would). All the unboxing’s I’ve seen have the keyboard and other accessories inside the black box inside the ‘white parcel’. My understanding was that 4PX was responsible for putting the right keyboard/accessories in the box with the V. Or is this just a difference between how Vs were shipped to reviewers vs how they were shipped to backers?

Good point. So the seal is from 4px not from EVE…

Oh well, so my concerns are still there!!!

@Team? Any news on this?

Beat. F.

The white parcel contains the V and keyboard. Those are packaged in China before 4px gets their hands on it.
They come inside a bigger box where you have your accessories and potentially some small goodies :slight_smile: